Reliability  Engineering  and  System  Safety  104  (2012) 


ELSEVIER 


Contents  lists  available  at  SciVerse  ScienceDirect 

Reliability  Engineering  and  System  Safety 

journal  homepage:  www.elsevier.com/locate/ress 


ENGINEERING 


Towards  fault-tolerant  decision  support  systems  for  ship  operator  guidance 

Ulrik  D.  Nielsen3’*,  Zoran  Lajicb,  J0rgen  J.  Jensen3 

a  Department  of  Mechanical  Engineering,  Technical  University  of  Denmark,  Kgs.  Lyngby,  Denmark 
bA.P.  Moller-Msersk,  Copenhagen,  Denmark 


ARTICLE 


N  F  0 


ABSTRACT 


Article  history: 

Received  19  September  2011 
Received  in  revised  form 
13  April  2012 
Accepted  22  April  2012 
Available  online  30  April  2012 

Keywords: 

Fault  diagnosis 
System  models 
System  reliability 
Transfer  functions 

Fault-tolerant  decision  support  systems 
Sea  state  estimation 


Fault  detection  and  isolation  are  very  important  elements  in  the  design  of  fault-tolerant  decision 
support  systems  for  ship  operator  guidance.  This  study  outlines  remedies  that  can  be  applied  for  fault 
diagnosis,  when  the  ship  responses  are  assumed  to  be  linear  in  the  wave  excitation.  A  novel  numerical 
procedure  is  described  for  the  calculation  of  residuals  using  the  ship’s  transfer  functions  which 
correlate  the  wave  excitation  and  the  ship  responses.  As  tests,  multiplicative  faults  have  artificially 
been  imposed  to  full-scale  motion  measurements  and  it  is  shown  that  the  developed  model  is  able  to 
detect  and  isolate  all  faults. 

©  2012  Elsevier  Ltd.  All  rights  reserved. 


1.  Introduction 

Today,  onboard  monitoring  and  decision  support  systems  are 
installed  on  many  commercial  and  navy  vessels.  In  the  present 
context,  ‘decision  support’  relates  to  operator  guidance  for  the 
ship’s  master  with  respect  to  deciding  on  course  and  speed  to 
keep  wave-induced  responses  (motions,  accelerations,  etc.)  below 
an  acceptable  limit.  Typically,  several  responses  are  monitored  by 
measurements  from  a  system  of  sensors  that  could  be  as  indi¬ 
cated  in  Fig.  1.  The  decision  support  system  (DSS)  is  conceptually 
based  on  a  principle  which  involves  hydrodynamical  and  math¬ 
ematical  models  in  combination  with  information  about  the  sea 
state  (see  Section  1.2).  The  overall  idea  is  sketched  in  Fig.  2,  where 
‘Output’  is  guidance  in  terms  of  predicted  responses.  The  pre¬ 
dicted  responses  apply  to  given  operational  conditions,  including 
speed  and  course,  and  will  facilitate  an  evaluation  of  risks 
associated  to  the  considered  conditions.  In  the  end,  this  should 
lead  to  future  response  measurements  below  acceptable  limits. 

Decision  support  systems  should  be  applied  only  when  the 
quality  of  associated  sensors  and  software  is  tested,  securing  the 
whole  integrated  system  to  be  generally  well-working,  Nielsen 
et  al.  [23],  On  the  other  hand,  it  can  never  be  avoided  that  sensors, 
or  their  corresponding  signals,  at  some  stage,  are  likely  to  be 
corrupted  by  faults.  It  is  therefore  vital  to  be  able  to  automatically 
detect  any  faults  that  may  occur  in  a  decision  support  system 


*  Corresponding  author. 

E-mail  address:  udn@mek.dtu.dk  (U.D.  Nielsen). 

0951-8320/$ -see  front  matter  ©  2012  Elsevier  Ltd.  All  rights  reserved. 
http://dxdoi.Org/10.1016/j.ress.2012.04.009 


during  operation,  so  that  information/warnings  can  be  issued 
about  unreliable  results.  As  a  direct  extension  to  ‘fault  detection’ 
comes  a  wish  to  make  a  decision  support  system  fault-tolerant. 
This  means  that  the  system  has  the  ability  to  react  on  the 
existence  of  fault(s)  by  adjusting  its  activities  to  the  faulty 
behaviour  of  the  system.  Fault-tolerant  decision  support  systems 
for  ship  operator  guidance  are  not  standard,  and  little  work  has 
been  done  so  far  in  the  area.  However,  recent  research  has  been 
initiated,  e.g.  Lajic  [15],  Lajic  and  Nielsen  [17],  Lajic  et  al.  [16,18], 
and  it  is  foreseen  that  many  improvements  in  this  area  will  be 
made  in  the  future. 

The  present  paper  summarises  important  findings  made  in  a 
recent  Ph.D.  work,  Lajic  [15],  on  fault-tolerant  monitoring  and 
decision  support  systems.  Specifically,  work  was  carried  out  to 
improve  the  reliability  and  dependability  of  decision  support 
systems  applied  for  matters  of  ship  safety.  This  included  the 
development  of  algorithms  incorporating  fault  diagnosis  techni¬ 
ques  and  improving  the  multi-sensor  data  fusion  taking  place  in 
most  monitoring  and  decision  support  systems. 

1.1.  Literature 

Although  the  introduction  of  fault  diagnosis  techniques  is  new 
within  the  scope  of  decision  support  systems  for  ship  safety,  there 
is  an  existing  literature  on  fault-tolerant  approaches  and  algo¬ 
rithms  for  control  of  general  ship  components  (engine,  propulsion 
system,  rudder,  etc.)  and  particular  responses.  The  present  work 
has  its  foundation  in  some  of  this  literature  which  includes:  three 
papers  by  Blanke  [3,4,6]  in  which  fault  diagnosis  and  fault- 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1  -1 


Fig.  1.  Example  of  sensor  arrangement  on  a  ship. 


measurements  can  be  used  to  supplement  shipboard  wave  estimations  in  the 
mathematical  model  [22], 


tolerant  control  approaches  are  advocated  for  as  means  to 
enhance  maritime  and  navigational  safety.  In  Blanke  et  al.  [7] 
the  re-configuration  possibilities  for  a  ship  propulsion  system 
with  a  main  engine  and  a  controllable  pitch  propeller  have  been 
analysed  and  it  has  been  demonstrated  how  fault  tolerance  could 
be  achieved  against  a  critical  sensor  failure.  Similarly,  sensor 
fault-tolerant  control  for  a  ship  propulsion  system  is  presented  in 
Wu  et  al.  [31],  and  implementation  of  the  onboard  control  and 
monitoring  system  for  unmanned  underwater  vehicles  has  been 
presented  in  Tiano  et  al.  [30],  Furthermore,  applications  have 
been  presented  for  early  detection  of  parametric  roll  by  Galeazzi 
etal.  [10,11], 

1.2.  Sea  state  estimation 

A  delicate  and  crucially  fundamental  part  of  decision  support 
systems  is  the  part  which  concerns  the  onboard  estimation  of  the 
sea  state  at  the  advancing  ship’s  exact  position  in  the  ocean.  Thus, 
the  combined  use  of  the  estimated  sea  state  and  mathematical/ 
hydrodynamical  models  of  the  ship’s  behaviour  to  waves  makes  it 
possible  to  (statistically)  predict  about  the  future  responses 
of  the  ship  expected  in,  say,  a  30  min  horizon.  Basically,  two 
approaches  exist  for  onboard  sea  state  estimation:  (1)  the  wave 
buoy  analogy,  which  processes  measured  ship  responses  to  give 
an  estimate  of  the  wave  environment  and  (2)  wave  radar  systems. 
The  use  of  satellite  data  is  not  yet  a  feasible  approach  for 
onboard  wave  measurements,  although  in  the  future  this  could 
change.  The  present  work  relies  on  the  wave  buoy  analogy 
[12,20,21,24,27,26,29]  where  the  fundamental  input  is  a  set  of 
response  measurements  (motions,  accelerations,  strains,  etc.).  In 


I  Measured  _  I  Signal 

I  Responses  I  I  Processing 

N _ 

|  Calculation 

/ 


Wave  I J  Response  I 

Spectrum  |  |  Calculation  | 

t 

Complex 

Transfer  Functions 


Actions  to  minimize  error 

Fig.  3.  The  fundamental  idea  in  the  estimation  of  wave  spectra  based  on  measured 
ship  responses. 


this  way,  the  way  buoy  analogy  utilises  onboard  response  mea¬ 
surements  that  are  often  carried  out  irrespectively  on  many  of 
today’s  naval  and  commercial  vessels.  Consequently,  the  wave 
buoy  analogy  is  a  relatively  inexpensive  estimation  concept,  since 
the  system  development  is  associated  with  software  only  [24],  The 
wave  buoy  analogy  as  such  will  not  be  considered  herein  but  a 
graphical  illustration  of  the  procedure  is  given  in  Fig.  3  [1]  and 
detailed  information  can  be  found  in  the  given  references. 

1.3.  Objectives 

The  overall  objective  of  this  work  is  to  improve  the  reliability 
and  dependability  of  decision  support  systems  for  ship  operator 
guidance  with  respect  to  wave-induced  responses.  In  general,  the 
following  techniques  are  suggested  to  improve  the  overall  relia¬ 
bility  and  dependability  of  onboard  systems: 

•  Fault  diagnosis  means  to  detect  the  presence  of  faults  in  the 
system.  Faulty  signals )  should  be  discarded  from  the  proce¬ 
dure  for  sea  state  estimation  if  it  is  possible,  if  not  the  fault 
should  be  estimated.  When  the  sea  state  estimation  is  con¬ 
ducted  by  the  wave  buoy  analogy,  e.g.  [20,21  ],  it  is  sufficient  to 
use  three  different  ship  responses  and  usually  the  responses  of 
more  sensors  are  available. 

•  Sensor  fusion  quality  test  means  to  decide  which  three  ship 
responses  would  be  the  most  suitable  combination  for  wave 


Measured 

Response 


Calculated 

Response 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


spectrum  estimation.  The  sensor  fusion  quality  test  should  be 

applied  to  each  combination  of  three  non-faulty  signals. 

It  is  noteworthy  that  this  paper  deals  with  the  first  item  -  Fault 
diagnosis  -  only.  This  choice  is  made  for  matters  of  space 
limitations  and  since  the  sensor  fusion  quality  test  still  needs  to 
be  elaborated  on. 

In  the  original  work  by  Lajic  [15]  two  models  for  fault 
diagnosis  are  discussed:  the  time  domain  model  based  on  ship 
kinematics,  and  the  frequency  domain  model  based  on  linear 
spectral  analysis.  By  the  use  of  linear  spectral  analysis,  it  is 
possible  to  define  equations  which  correlate  different  ship 
responses  through  transfer  functions.  With  the  frequency  domain 
model,  all  faults  can  be  isolated  and  their  magnitudes  can  be 
estimated.  On  the  other  hand,  using  the  time  domain  model 
independently,  all  the  faults  can  be  detected,  but  not  isolated. 
This  means  that  additional  techniques  should  be  employed,  like 
active  fault  detection  or  direct  evaluation  of  Gaussian  zero-mean 
ship  responses  by  the  GLR  (generalised  likelihood  ratio)  test.  In 
this  paper,  focus  will  therefore  be  on  the  frequency  domain  model 
only.  It  should  be  noted  that  the  frequency  domain  model,  using 
transfer  functions  for  calculating  the  residuals,  is  a  new  numerical 
procedure  for  fault  diagnosis. 

1.4.  Composition  of  paper 

The  paper  has  been  divided  into  six  main  sections.  The  next 
section,  Section  2,  briefly  describes  the  main  principles  of  fault- 
tolerant  onboard  decision  support  systems  and  the  basics  of  fault 
diagnosis  will  be  introduced.  Moreover,  the  frequency  domain 
(system)  model  will  be  derived.  Section  3  introduces  system  analysis 
and  elaborates  on  the  system  model  by  application  of  structural 
analysis  (of  the  system  structure).  The  goal  of  the  section  is  to  derive 
the  residuals,  which  are  the  primary  target  for  fault  detection  and 
isolation.  Reliable  change  detection  algorithm  is  a  fundamental 
element  for  fault  detection  and  some  basics  of  change  detectors 
are  given  in  Section  4.  In  Section  5,  full-scale  data  is  considered  and 
it  is  shown  that  fault  detection  and  isolation  can  be  achieved  by  the 
developed  model.  Finally,  conclusions  are  made  in  Section  6  which 
also  recommends  future  work. 


2.  Fault-tolerant  monitoring  and  decision  support  systems 

Although  the  following  section  is  written  with  a  focus  on 
monitoring  and  decision  support  systems  the  terminology  is 
relaxed,  so  that  only  systems  will  be  mentioned  (except  for  the 
last  sub-section).  In  this  regards,  one  of  the  several  definitions  of  a 
‘system’  should  be  kept  in  mind,  Miller  [19]:  “A  system  is  a  set  of 
interacting  units  with  relationship  among  them”.  The  section 
introduces  some  standard  terms  and  general  principles  for  fault 
diagnosis,  which  relies  highly  on  Blanke  et  al.  [8],  At  the  end  of 
the  section,  a  documentation  will  be  given  of  the  specific  system 
model  which  will  be  analysed  later  with  respect  to  full-scale 
measurements. 

2.1.  System  behaviour 

A  fault  is  something  that  changes  the  system  behaviour,  so 
that  the  system  no  longer  serves  its  purpose.  The  fault  is  the 
primary  cause  of  system  performance  degradation  or  even  loss  of 
the  system  function.  Therefore,  it  is  very  important  to  find  the 
fault(s)  as  quickly  as  possible  and  to  make  decisions  that  stop  the 
propagation  of  their  effects.  The  aim  of  these  measures  is  to  make 
the  system  fault-tolerant  meaning  that  the  system  is  still  func¬ 
tioning  after  the  appearance  of  a  fault.  A  fault-tolerant  system  has 


the  ability  to  react  on  the  existence  of  the  fault  by  adjusting  its 
activities  to  the  faulty  behaviour  of  the  system.  The  procedure  for 
making  a  system  fault-tolerant  consists  of  two  steps,  cf.  Blanke 
et  al.  [8]: 

(1)  Fault  diagnosis:  The  existence  of  faults  has  to  be  detected  and 
the  faults  have  to  be  identified. 

(2)  Re-design:  The  system  has  to  be  adapted  to  the  faulty  situa¬ 
tion  so  that  the  overall  system  continues  to  satisfy  its  goal. 

A  system  with  an  input  u(t)  and  an  output  y(t)  both  depending  on 
time  t  is  now  considered.  The  pair  (u,y)  is  called  input/output  (I/O) 
pair,  and  the  set  of  all  possible  pairs  that  may  occur  for  a  given 
system  defines  the  behaviour  B.  The  behaviour  B  can  be  defined  as  a 
subset  of  the  space  uxyof  all  possible  combinations  of  I/O  signals. 
In  Fig.  4  a  graphical  interpretation  of  the  system  behaviour  is  given. 
From  the  figure  two  particular  system  behaviours  B0  (faultless)  and 
Bf  (faulty)  are  considered.  The  point  A  represents  an  I/O  pair  that 
may  occur  for  the  faultless  system,  while  the  point  B  represents  a 
pair  which  is  inconsistent  with  the  system  dynamics.  This  means 
that  the  point  B  corresponds  to  an  I/O  pair  influenced  by  a  fault. 

In  general,  any  fault  changes  the  system  behaviour.  Thus,  the 
consequence  of  a  fault  is  that  the  system  behaviour  moves  from  the 
set  B0  towards  the  set  Bf.  In  the  case  of  a  common  input  u,  the  two 
systems  -  faultless  and  faulty  -  will  give  different  outputs  yA  and  yB, 
respectively.  The  change  in  the  system  behaviour  makes  the  detec¬ 
tion  and  isolation  of  a  fault  possible.  However,  the  measurement 
information  (u,y)  alone  is  not  sufficient,  but  a  dynamical  model, 
which  describes  the  nominal  system  behaviour,  is  necessary. 

The  system  model  describes  the  behaviour  of  the  faultless  and 
the  faulty  system  which  means  that  the  model  restricts  the 
possible  I/O  pairs  to  those  that  appear  in  the  behaviour  B0  or  Bf. 
In  other  words,  the  model  is  a  set  of  constraints  on  the  signals  u 
and  y  in  the  system.  In  fault  diagnosis  both  the  input  u  and  the 
output  y  will  be  known  and  it  is  checked  whether  the  I/O  pair 
belongs  to  the  specific  behaviour. 

2.2.  The  diagnostic  principle 

If  a  specific  I/O  pair  {U,Y)  is  represented  by  a  point  A,  cf.  Fig.  4, 
then  for  a  faultless  system  (and  a  correct  system  model)  A  lies  in 
the  set  B0.  On  the  contrary,  a  different  output  Y  is  generated  from 
U  if  the  system  is  faulty.  The  particular  fault  is  said  to  be 
detectable  if  the  I/O  pair  (U,Y)  lies  outside  B0.  However,  if  the 
produced  I/O  pair  corresponds  to  point  B,  cf.  Fig.  4,  the  faulty 
system  leads  to  no  inconsistency  and  the  fault  is  not  detected. 
This  consideration  leads  to  the  foundation  of  the  diagnostic 
principle  which  is  concerned  with  testing  whether  or  not  any 
measurement  (U,  Y)  is  consistent  with  the  system  behaviour. 
Thus,  any  I/O  pair  should  be  checked  with  respect  to  the  nominal 
system  behaviour  and,  in  case  of  a  fault,  the  fault  is  detected  if 


uxy 


Fig.  4.  System  behaviour;  B0  is  a  faultless  case  whereas  Bj  is  a  faulty  case. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-1 


( U,Y)<£B0 .  However,  if  the  I/O  pair  lies  in  Bf  for  a  system  subject  to 
a  fault  f  the  fault  may  occur.  Hence,  /  is  denoted  by  a  fault 
candidate.  The  diagnostic  result  is  usually  a  set  Tc  £  .T7  of  fault 
candidates. 

In  summary,  the  diagnostic  principle  is  based  on  the 
following  test: 

Consistency-based  diagnosis:  For  given  models  that  describe  the 
behaviour  Bf  of  the  system  subject  to  the  faults  /  eT,  test 
whether  the  I/O  pair  ( U,Y)  satisfies  the  relation 
(U,Y)  e  Bf 

From  the  test,  two  outcomes  are  considered: 

•  Fault  detection:  If  the  I/O  pair  is  inconsistent  with  the  beha¬ 
viour  B0  of  the  faultless  system,  (U,Y)^B0,  then  a  fault  is  known 
to  have  occurred. 

•  Fault  isolation  and  identification:  If  the  input/output  pair  is 
consistent  with  the  behaviour  Bf,  that  is,  ( U,Y)eBf ,  then  the 
fault  may  have  occurred. 

On  the  basis  of  the  diagnostic  principle  and  its  consequences  it 
should  be  noted  that  fault  detection  is  possible  without  any 
information  about  the  behaviour  of  the  faulty  system.  Fault  detec¬ 
tion  algorithms  use  only  a  model  of  the  nominal  system.  It  is 
sufficient  to  identify  deviations  of  the  current  system  behaviour 
from  the  nominal  behaviour.  On  the  other  hand,  fault  isolation  and 
identification  are  not  possible  without  information  about  the  faulty 
system.  Therefore,  corresponding  fault  models  have  to  be  known. 

2.3.  Diagnostic  algorithms 

In  fault  diagnosis,  the  sensor  measurement  Y  is  compared  with 
the  analytically  computed  value  Y.  Therefore,  the  consistency  of 
the  system  with  the  model  can  be  tested  at  every  time  t  by 
forming  the  residual 

r(t)=y(t)-y(t) 

In  the  faultless  case,  the  residual  is  close  to  zero.  In  general,  it  is  not 
exactly  zero  due  to  measurement  noise  and  model  uncertainties.  If 
any  fault  exists,  the  residual  has  some  specific,  non-vanishing  value. 

As  pointed  out  by  Blanke  et  al.  [8],  diagnostic  algorithms  for 
continuous-variable  systems  generally  consist  of  two  components, 
see  also  Fig.  5: 

•  Residual  generation:  The  system  model  and  the  I/O  pair  are 
used  to  determine  residuals  which  describe  the  degree  of 
consistency  between  the  system  and  the  model  behaviour. 

•  Residual  evaluation:  The  residual  is  evaluated  in  order  to 
detect,  isolate  and  identify  faults. 


2.4.  Re-design 

The  second  step  towards  a  fault-tolerant  system  involves 
re-design,  which  considers  the  problem  of  changing  the  system 
structure  after  a  fault  has  occurred.  The  aim  is  to  make  the  system 
able  to  serve  its  purpose  after  the  occurrence  of  a  fault.  Two 
principal  ways  of  re-design  have  to  be  distinguished: 

•  Fault  accommodation  (off-line  solution):  Fault  accommodation 
means  to  adapt  the  parameters  to  the  dynamical  properties  of 
the  faulty  system.  The  input  and  output  of  the  system  remain 
the  same  as  for  the  faultless  case.  Fault  accommodation  is 
based  on  predesigned  systems,  each  of  which  has  been  selected 
off-line  for  a  specific  fault.  This  method  is  fast  and  can  meet 


Fig.  5.  Residual  generation  and  evaluation  are  necessary  components  of  diagnos¬ 
tic  algorithms. 

strong  real-time  constraints.  However,  re-design  has  to  be  made 
for  all  possible  faults  before  the  system  is  operative. 

•  Reconfiguration  (on-line  solution):  If  fault  accommodation  is 
impossible,  the  complete  system  has  to  be  reconfigured.  In  this 
case  a  new  system  configuration  is  obtained,  where  alternative 
input  and  output  signals  are  used.  Reconfiguration  is  necessary 
in  case  of  sensor  failure. 

Although  re-design  is  an  important  part  of  a  fault-tolerant 
decision  support  system  this  part  will  not  be  considered  in  the 
present  paper. 


2.5.  The  particular  system  model 

In  the  preceding,  basic  terms  of  fault  diagnosis  were  intro¬ 
duced,  where  the  importance  of  system  models  has  been  reflected. 
In  this  sub-section,  the  particular  system  model,  which  will  be 
analysed  with  data  later,  is  documented.  In  Lajic  [15],  system 
models  have  been  derived  both  for  the  time  domain  and  the 
frequency  domain.  The  focus  herein  is,  however,  on  the  frequency 
domain  model  only. 

The  responses  of  a  ship  in  an  irregular  (long-crested)  seaway 
can  be  deduced  by  the  characteristic  wave  energy  spectrum  Stfco) 
and  the  ship’s  transfer  functions  $(co),  where  a>  is  the  wave 
frequency.  In  this  way,  the  ship  responses  can  be  described  by 
response  spectra  [28],  where  the  spectral  densities  are  equal  to 
the  product  of  the  spectral  density  of  the  waves  and  the  square  of 
the  transfer  functions.  Therefore,  in  the  case  of  long-crested 
waves,  it  follows  that  the  response  spectra  of,  say,  heave,  z,  pitch, 
6,  roll,  cp  and  vertical  acceleration,  a,  amidships  are: 


Sz(O)e)  =  <^(a>e)S;(CBe) 

(1) 

Sfl(COe)  =  <f>l(We)SC(a>e) 

(2) 

ScplWe)  =  ®^(CO<.)Sj(COe) 

(3) 

U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


C4  :  Sa(COe)  =  $2a(c Ue)SC(®e)  (4) 

which  will  be  the  constraints,  c„  of  the  system  model. 

In  Eqs.  (l)-(4),  the  encounter  frequency  coe  has  been  intro¬ 
duced,  since  the  response  spectra  are  derived  from  sensor 
measurements  onboard  the  ship.  The  relationship  between  the 
encountered  frequency  and  the  true  wave  frequency  is  governed 
by  the  Doppler  shift 

a >e  =  a )-m2A,  A  =  ^  cos  /  (5) 

for  the  relative  wave  heading  %  and  speed  \J\  g  is  the  acceleration 
of  gravity.  The  transfer  functions  of  a  ship  are  measures  of  the 
ship’s  seakeeping  performance.  Typically,  the  transfer  functions 
are  obtained  by  linear  frequency  domain  strip  theory,  three- 
dimensional  panel  codes,  or  by  measurements. 

In  addition  to  the  constraints,  Ci,...c4,  the  following  trans¬ 
forms,  t,-,  and  measurements,  m,-,  are  introduced: 


ti  : 

Sz(0)e)  =  mz) 

(6) 

t2  : 

SB(.we)=m 

(7) 

t3  : 

Sv(COe)  =  S(cp) 

(8) 

t4  : 

Sa(coe)  =  S(a) 

0) 

m,  : 

yi=z 

(10) 

m2  : 

y2  =  o 

(11) 

m3  : 

ys=<p 

(12) 

m4  : 

y4  =  a 

(13) 

In  the  present  case,  the  symbol  g( )  denotes  a  transform  operator 
which  transforms  from  time  domain  to  the  frequency  domain. 
It  could  for  example  be  the  fast  Fourier  transform  (FFT). 

For  the  studied  system  model  -  dealing  generally  with  wave-ship 
interactions  -  it  seems  relevant  to  make  a  couple  of  notes  about  the 
implication  of  (particularly)  rough  sea  conditions.  Firstly,  this  paper  is 
intended  to  illustrate  initial  ideas  developed  for  fault-tolerant  decision 
support  systems  and  it  is  therefore  considered  to  be  of  less  impor¬ 
tance  how  accurately  the  hydrodynamic  behaviour  of  a  ship  is 
calculated.  For  this  reason,  all  data  and  results  studied  later  are 
derived  on  the  basis  of  transfer  functions  (obtained  by  the  3D  panel 
code  Wasim  [9])  without  going  into  details  about  accuracy.  However, 
it  is  clear  that  for  rough  wave  conditions,  the  use  of  transfer  functions 
can  generally  lead  to  unreliable  results  due  to  the  inherent  linear 
assumption,  which  is  often  violated  in  rough  sea  conditions.  On  the 
other  hand,  it  should  be  stressed  that  the  suggested  system  model  - 
based  on  frequency  domain  theory,  facilitating  the  use  of  transfer 
functions  -  can  be  extended  to  include  also  time  domain  theory,  see 
[15],  without  introducing  a  linear  assumption  between  the  wave-ship 
interactions.  As  a  second  note,  it  is  worth  to  point  out  that  during 
rough  sea  conditions,  fault  detection  is  particularly  useful,  since  any 
system  sensor  may  observe  continuous  structural  vibrations.  Thus, 
fault  detection  (and  tolerance)  is  fundamental  to  secure  a  system’s 
performance  also  in  the  event  of  degrading  sensors  due  to  unintended 
vibrations.  However,  the  influence  of  the  structural  vibrations  could/ 
should  be  limited  by  a  proper  installation  of  the  sensors. 


3.  System  analysis 

3.1.  Introduction 

In  order  to  have  a  fault-tolerant  onboard  decision  support 
system,  fault  diagnosis  is  a  crucial  element.  Therefore,  already  at 


an  early  design  stage  it  is  important  to  secure  that  it  is  possible  to 
detect  and  isolate  faults.  The  usual  way  to  do  this  is  to  apply 
structural  analysis  (which  should  not  be  confused  with  the  twin 
term  within  the  fields  of  mechanical  and  civil  engineering).  In  this 
section  the  structure  of  the  studied  (dynamical)  system  will  be 
investigated.  By  applying  structural  analysis,  it  is  possible  to 
obtain  answers  regarding  fault  diagnosis  without  detailed  calcu¬ 
lations,  e.g.  the  ability  to  detect  the  fault  or  recover  after  the  fault. 
Structural  analysis  can  be  performed  from  the  early  design  stages 
where  detailed  modelling  has  not  yet  been  made.  For  sensor  fault 
detection,  there  is  a  need  to  find  physical  relations  between 
measured  values.  There  is  no  need  to  express  those  physical 
relations  explicitly.  Rather,  the  structure  of  the  constraints,  that  is 
the  existence  of  relations  between  variables  and  parameters,  is 
considered  only. 

Example.  Basically,  structural  analysis  investigates  the  links 
which  exists  between  variables  and  parameters,  independently 
on  the  form  of  the  underlying  equations  [8],  Often,  structural 
analysis  is  therefore  performed  by  the  use  of  graph  theory,  where 
a  bi-partite  graph  and  an  associated  incidence  matrix  represents  a 
‘qualitative,  very  low-level,  easy  to  obtain,  model  of  the  system 
behaviour’,  Blanke  et  al.  [8],  This  can  be  illustrated  by  a  small- 
scale  example,  where  a  system  described  by  the  following 
equation  is  studied: 

PB  =  2nQn 

PB  is  the  brake  power  of  an  engine,  Q.  is  the  brake  torque,  and  n  is 
the  revolutions  per  second.  The  equation  can  be  transformed  into 
the  following  form: 

Ci  :  PB-2nQn  =  0 

which  means  that  the  constraint  c,  relates  three  variables 
(Pb.Q.h).  Furthermore,  the  brake  power  is  measured  by  a  sensor 
whose  output  is  yi,  and  the  revolutions  per  second  n  by  a  sensor 
whose  output  is  y2.  This  means  that  the  previous  system  obeys 
the  expressions: 

C]  :  PB—2nQn  =  0 
mi  :  y1-PB  =  0 
m2  :  y2-n= 0 

The  known  variables  are  yi  and  y2  only,  because  they  are  the 
measured  sensor  outputs.  All  other  variables  are  unknown.  The 
relations  in  the  system  can  be  summarised  as  follows: 

Ci  relates  PB,Q  and  n 
mi  relates  PB  and  yi 
m2  relates  n  and  y2 

In  the  early  design  phase  of  a  fault-tolerant  system,  these 
relations  are  the  only  concern.  The  structure  of  the  system  is 
presented  at  the  right-hand  side  in  Fig.  6  (the  incidence  matrix), 
where  rows  represent  the  set  of  constraints  and  columns  the  set 
of  variables.  If  a  particular  variable  is  a  member  of  a  particular 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-1 


constraint,  T  will  be  written  in  the  cell,  and  if  not  the  cell  will  be 
empty.  Another  way  of  representing  the  relations  in  the  system  is 
to  use  the  graph  shown  at  the  left-hand  side  in  Fig.  6.  It  is  worth 
noting  that  both  the  table  and  the  graph  give  the  same  informa¬ 
tion  about  the  system. 

By  inspection  of  the  incidence  matrix  (or  the  bi-parti te),  it  can 
be  concluded  that  all  the  unknown  variables  in  the  system  can  be 
computed,  since  PB  can  be  computed  from  y,  by  using  the 
measurement  equation  m1  (this  is  denoted  by  the  bold  red  1),  n 
can  be  computed  from  y2  by  using  the  measurement  equation  m2 
and  therefore  Q  can  be  computed  from  the  constraint  Ci.  How¬ 
ever,  there  is  no  need  to  calculate  all  the  variables.  The  important 
thing  is  to  see  if  it  is  possible  to  compute  all  variables  and  if  there 
are  some  equations  which  have  not  been  used  for  computing 
variables.  The  latter  equations  will  be  used  for  extracting  the 
residuals.  In  the  presence  of  a  fault,  the  system  components  no 
longer  satisfy  the  equations  which  are  defined  for  their  normal 
behaviour.  Therefore,  structural  analysis  can  give  the  possibility 
of  detecting  faults.  A  fault-detection  procedure  will  be  presented 
in  Section  5,  where  the  residuals  will  be  evaluated. 

Onboard  systems:  Most  onboard  systems  are  very  complex  and 
therefore  there  is  a  need  for  having  a  tool  to  cope  with  the  complexity 
of  the  systems.  Stmctural  analysis  based  on  graph  theory  is  a  unique 
design  methodology  that  can  cope  with  the  diagnosis  design  for 
systems  of  high  complexity  and  also  be  used  for  analysis  of  the  cases 
of  cascaded  or  multiple  faults,  cf.  Blanke  [5],  From  a  bi-partite  graph, 
it  is  possible  to  obtain  information  about  the  relations  between 
variables,  but  it  is  not  possible  to  obtain  information  about  the 
appearance  of  the  constraints.  If  two  systems  have  the  same  bi-partite 
graph,  those  systems  are  structurally  equivalent.  It  is  noteworthy  that 
systems,  which  have  the  same  structure  but  only  differ  by  the  values 
of  their  parameters,  are  still  structurally  equivalent.  If  a  fault  is 
considered  as  a  violation  of  a  constraint,  it  is  obvious  that  for  fault 
diagnosis,  the  structure  is  of  essential  concern.  The  values  of  system 
parameters  do  not  influence  the  ability  to  detect  or  isolate  a  fault  in 
stmctural  analysis,  but  parameters  can  have  values  such  that  stmc¬ 
tural  detectability  does  not  imply  analytical  detectability. 

In  stmctural  analysis,  it  is  convenient  to  separate  the  set  of  system 
variables  into  unknown  (X)  and  known  ( X)  sets.  In  the  case  of  onboard 
decision  support  systems,  known  variables  are  measured  ship 
responses,  e.g.  pitch,  heave,  roll  motion,  etc.  On  the  other  hand, 
unknown  variables  are  not  measured  but  should  instead  be  com¬ 
puted.  In  the  case  of  onboard  systems,  unknown  variables  include  for 
example  the  wave  spectrum.  The  wave  spectrum  is  not  measured 
directly;  instead  it  can  be  calculated/estimated  by  a  procedure  that 
has  as  input  a  set  of  measured  ship  responses.  Like  the  system 
variables,  the  constraints  can  also  be  divided  into  the  set  Cx 
(unknown)  and  CK  (known).  The  set  CK  contains  constraints  which 
relate  known  variables  only,  and  the  set  Cx  contains  constraints  which 
relate  at  least  one  unknown  variable.  In  order  to  extract  the  residuals 
available  for  fault  diagnosis,  stmctural  analysis  of  the  constraints  and 
the  unknown  variables  may  be  applied.  While  there  are  several  ways 
to  deduct  analytical  redundancy  relations,  stmctural  analysis  is 
particularly  simple;  the  details  are  explained  in  Lajic  [15], 

3.2.  The  frequency  domain  model 

In  the  following,  the  frequency  domain  model  of  an  onboard 
decision  support  system  is  considered.  The  constraints  of  the 
model  were  derived  previously  (Eqs.  (1  )-(4))  but  can  be  rewritten 
in  a  form  which  is  more  convenient  for  the  system  analysis: 

ci:  | ff^=Sc(coe)  (14) 


c2  : 


Srj(COe) 


=  Sr(0>e) 


C3  : 


S<p(CQe) 

&y(OJe) 


=  Sf(cue) 


(15) 

(16) 


c4  :  =  Sf  aie)  (17) 

0„(O)e) 

The  transforms,  ti, . .  .,t4,  and  measurements,  mi,...  ,m4,  are  given 
by  Eqs.  (6)-(9)  and  Eqs.  (10)— (13),  respectively. 

A  bi-partite  graph  of  the  system  is  shown  in  Fig.  7.  The  system 
variables  are  represented  by  circles  and  the  system  constraints  by 
bars.  The  graph  is  based  on  the  system  equations  and  it  provides 
an  overview  of  the  system.  Using  the  graph,  it  is  possible  to  see 
which  constraints  describe  a  particular  variable.  It  is  interesting 
to  note  that  the  variable  S;  (the  wave  energy  spectrum)  is 
connected  with  four  constraints  c1,c2,c3,c4.  In  the  following,  it 
will  be  shown  that  Sr  is  not  a  member  of  any  residual  and  it  will 
not  be  calculated  (directly).  The  residuals  should  contain  only 
known  variables,  i.e.  sensor  measurements.  The  wave  spectmm 
will  be  matched  from  the  constraint  c3.  For  fault  diagnosis,  only 
the  residuals  are  of  interest.  The  set  of  variables  in  the  system  is 
separated  into  the  sets  I<  (known)  and  X  (unknown); 

K  =  {yuy2.y-i.y4} 


X  =  {z,e,(p,a,Sz,SB,Slp,Sa,Sc} 

The  constraints  depend  on  the  transfer  functions  of  the  ship. 
However,  the  transfer  functions  are  known  functions,  since  they 
can  be  calculated  in  advance,  and  they  will  therefore  be  consid¬ 
ered  as  system  parameters. 

The  constraints  are  matched  to  the  unknown  variables,  i.e.  the 
ship  responses,  as  follows: 


mi(yi)^z  (18) 

m2(y2)  -*  9  (19) 

m3Cy3)  -*  <P  (20) 

m4(y4)  -*■  a  (21) 


where  the  standard  notation,  indicated  by  the  arrow  (—»■),  is  used 
to  saying  that  the  variable  on  the  right-hand  side  is  obtained 


©4-©+© 


©+©+©  4hN>-K) 

Fig.  7.  Bi-partite  graph  of  an  onboard  system. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


(matched)  from  a  given  measurement  that  depends  on  a 
specific  variable. 

Previously,  the  response  spectra  (of  the  ship  responses)  have 
been  matched  from  the  transforms  1 1 . . .  t4,  cf.  Eqs.  (6)— (9).  On  the 
other  hand,  the  ship  responses  have  already  been  matched  from 
the  measurement  equations  which  means  that  the  following 
expressions  can  be  derived: 


t-i  (z)  =  U  (mi  (ya))  -vSz  (22) 

t2  (0)  =  t2(m2(y2))^Sg  (23) 

t3(<P)  =  t3(m3(y3))->Sip  (24) 

t4(a)  =  t4(m2(y4))  -*■  Sa  (25) 

ci(Sz)  =  c1(t1(m,(y1)))-Sc  (26) 


Thus,  it  is  possible  to  attain  a  complete  matching  of  the  unknown 
variables.  However,  three  constraints  remain  unmatched.  Each  of 
these  forms  the  basis  of  a  residual  generator  that  can  check  the 
consistency  of  the  constraints.  The  residual  r,  is  given  by 
r,  :  c2[Sr,S0]->0 

and  after  substitution  of  the  unknown  variables  obtained  by 
backtracking  through  the  matching: 

r,  :  c2[c,(t1(m1(y1))),t2(m2(y2))]^0  (27) 

The  residual  r2  is  given  by 
r2  :  c3[Sc,S^]^0 

and  after  substitution 


r2  :  C3[c1(t1(m1(y1))),t3(m3(y3))]^0  (28) 

Finally,  the  residual  r3  follows  from 
r3  :  c4[Sj,S„]-»0 

or 

r3  :  c4[c1(t1(m1(y1))),t4(m4(y4))]^0  (29) 


Fig.  8.  Oriented  graph  (top),  in  which  the  arrows  indicate  the  order  of  matching, 
and  dependency  matrix  (bottom)  of  the  residuals. 

Fig.  8.  It  should  be  noted  that  transforms  ti,...,t4  are  omitted 
from  the  dependency  matrix,  because  these  transforms  are  based 
on  a  mathematical  definition  and  it  cannot  fail. 

The  residuals  can  be  expressed  in  analytical  form  as 


The  incidence  matrix  and  the  matching  are  shown  in  Table  f. 
Unmatched  constraints  are  denoted  by  ‘->0’. 

It  is  easily  noted  that  three  constraints  are  unmatched  and  that 
they  are  the  basis  of  the  residual  generation.  The  oriented  graph 
of  the  system  is  shown  in  the  upper  part  of  Fig.  8.  The  output  of 
the  unmatched  constraints  is  labelled  zero  and  they  are  the 
(three)  system  residuals.  From  the  oriented  graph,  it  is  noted  that 
in  order  to  match  Sr,  z  should  first  be  matched  from  the  known 
variable  y\  and  the  measurement  equation  mi;  Sz  from  the 
transform  t,  and,  finally,  Sf  from  the  constraint  c,.  The  depen¬ 
dency  matrix  of  the  three  residuals  is  shown  in  the  lower  part  of 


{g(yi)K®e) 

(g(y2)}(®e) 

*2z(oje) 

&e(0)e) 

{g(y,  )}«»e) 

{g(y3)K®e) 

<t>z((!)e) 

^(«e) 

fg(y,)}(OJe) 

{gO^K®.) 

&%(COe) 

<«oe) 

(30) 

(31) 

(32) 


Isolability  can  be  enhanced,  however,  by  creating  residuals  that 
are  derived  from  the  original  three.  A  combination  of  these 
residuals  could  also  be  used  as  residual  generators  and,  by  linear 
combination,  the  following  holds: 


Incidence  matr 

r4  : 

{g(y2)}(ffle) 

&e(coe) 

{g(y3)}(cae)  0 

(33) 

"  *  * 

!  C3  C4  ti  t2 

t3  t4  m,  m2  m3  m4 

^(«e) 

yi  1  1 

y2  t 

1 

1  1 

r5  ■ 

W(y2)}(COe) 

{g(y4)K®e)  0 
«P„(coe) 

(34) 

£ 

1 

1  1 

r6  : 

my-Moh) 

{gO^KCUe)  0 

(35) 

0  1  1 

111 

1 

«P„(coe) 

<p 

1 

1  1 

The  dependency  matrix  for  the  modified  residuals  i 

s  shown  in 

Table  2.  From  the  table,  the  following  information  about  the  variables 
n  be  obtained  by  combining  residuals  ri-r6  in  the  analysis: 


Detectable  :  Ci,  mi. 

Undetectable :  none. 

Isolable :  c2,  c3,  c4,  m2,  m3,  m4. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-1 


In  decision  support  systems,  it  is  the  statistical  values  of  to-be- 
expected  future  responses  that  are  of  concern.  The  statistical 
value  could  for  example  be  the  variance  which  can  be  derived 
from  the  Oth-order  moment  defined  by 


l0=Io 


{g(y3)KCOe) 

I  ^(®e) 


{30^)1  d 

<^(«e)  \ 


4.  Change  detection  algorithms 


(41) 


where  Sr(oi)  is  the  response  spectrum  (of  any  considered  response). 
An  analogy  can  be  made  to  the  residuals  and  therefore  it  is  sufficient 
to  consider  integrated  versions  of  Eqs.  (30)-(35).  Integration  over 
the  entire  frequency  range  [coe,min,a>e,max]  leads  to  the  following 
residuals  which  will  be  used  as  the  final  versions  for  fault  detection: 


r'=/\ 

[{g(yi)K®e) 

{g(y2)l(®e)l 

^(COe)  J 

date 

(36) 

'2-  (\ 

[{gODKffle) 

{g(y3)}(®e)l 

d(JOe 

(37) 

2  J\ 

^(®e)  J 

wl 

[{gCVllKMe) 

[  ®2z(<Oe) 

{g(y4)}(®e)l 

^a(®e)  J 

d(oe 

(38) 

And,  the  auxiliary  residuals  are 

U’I\ 

[  <pfl(c Oe) 

{g(y3)}(ffle)l 

<^(«e)  J 

d(Oe 

(39) 

rs’l\ 

[{g(y2)l(®e) 

[  &2e(C0e) 

{g(y4)}(®e)l 

J 

d(oe 

(40) 

Table  2 

Dependency  matrix. 

Cl  c2 

C3 

m, 

m2 

m 

m4 

t  i  l 

l  l  l 


4.1.  Introduction 

In  order  to  recognise  the  occurrence  of  a  fault,  a  tool  must  be 
provided  for  real-time  fault  detection.  This  can  be  achieved  by 
applying  a  detector  as  part  of  the  residual  evaluation.  Thus,  the 
detector  will  inform  in  real-time  to  the  onboard  system  that  the 
residuals  have  changed  (when  a  fault  has  occurred). 

This  section  has  been  included  to  give  only  the  most  basics  on 
change  detectors;  the  more  complete  description  is  given  in  Lajic  [15], 

4.2.  Change  detectors 

Sequential  change  detection  algorithms,  or  sequential  detectors, 
are  the  most  common  tools  for  detecting  changes  in  a  stochastic 
system.  In  principle,  two  groups  of  detectors  can  be  distinguished, 
i.e.  detectors  for  multiplicative  faults  and  detectors  for  additive 
faults.  The  detectors  for  multiplicative  faults  are  based  on  residual 
variance  change  detection  [14],  e.g.  energy  detectors,  and,  on  the 
other  hand,  the  detectors  for  additive  faults  are  based  on  residual 
mean  change  detection,  e.g.  GLR  (generalised  likelihood  ratio  algo¬ 
rithm)  [2]  or  CUSUM  (cumulative  sum  algorithm)  [25],  All  these 
detectors  use  the  Neyman-Pearson  approach,  cf.  Kay  [14],  According 
to  the  Neyman-Pearson  approach  the  value  of  a  likelihood  ratio 
distinguishes  between  two  hypotheses,  i.e.  the  hypothesis  that  the 
fault  is  not  present  and  the  hypothesis  that  the  fault  is  present. 

4.3.  Decision  function 

Basically,  change  detectors  are  developed  from  assumptions 
about  the  probabilistic  behaviour  of  the  residual(s)  and,  mathe¬ 
matically  speaking,  the  aim  of  a  detector  is  to  map  a  residual  into 
a  decision.  In  the  Neyman-Pearson  approach  the  mapping  is 
controlled  by  a  decision  function  together  with  a  threshold  value 
that  must  not  be  exceeded  if  the  signal  (residual)  should  be 


Residual 


0  100  200  300  400  500  600  700  800  900  1000  1100  1200  1300  1400  1500  1600  1700  1800 

GLR  test  (change  in  variance) 


100  200  300  400  500  600  700  800  900  1000  1100  1200  1300  1400  1500  1600  1700  1800 
Time  [s] 


Fig.  9.  Residual  in  the  presence  of  a  multiplicative  fault  between  100  s  and  500  s  and  GLR  test  (decision  function  and  alarm)  [15]. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


considered  as  non-faulty.  In  addition  to  the  decision  function 
itself,  the  determination  of  an  appropriate  threshold  value 
becomes  a  central  element  for  change  detection.  Means  to  decide 
on  the  threshold  value  have  been  discussed  by,  e.g.,  Galeazzi  et  al. 
[  1 1  ].  An  example  of  a  decision  function  g  based  on  the  GLR  test  is 
shown  in  Fig.  9  for  an  arbitrary  residual  and  an  associated  alarm 
function;  further  details  can  be  found  in  [15], 


5.  Fault  detection  and  isolation 

5.1.  Introduction 

Onboard  decision  support  systems  rely  fundamentally  on  receiv¬ 
ing  an  estimate  of  the  sea  state,  or  the  wave  spectrum,  as  an  input 
for  the  prediction  of  relevant/critical  response  values.  One  way  to 
obtain  an  estimate  of  the  -  on-site  -  wave  spectrum  is  to  process  a 
set  of  three  measured  ship  responses  by  the  use  of  the  wave  buoy 
analogy,  e.g.  Nielsen  [20,21],  Typically,  several  responses  are  mon¬ 
itored  on  ships  and  it  is  therefore  a  matter  of  selecting  a  specific 
combination  of  these  to  be  processed  by  the  wave  buoy  analogy. 
Clearly,  it  is  absolutely  vital  that  faulty  signals  should  be  discarded 
from  the  procedure  for  sea  state  estimation  if  it  is  possible,  if  not,  the 
fault  should  be  estimated.  In  this  way,  fault  detection  and  isolation 
are  remedies  towards  increased  dependability  and  reliability  of 
shipboard  monitoring  and  decision  support  systems. 

The  present  section  serves  to  illustrate  the  derived  models  and 
the  associated  fault  diagnosis  techniques,  when  real  data  is 
analysed.  Results  will  be  given  for  a  container  ship,  where  focus 
is  on  full-scale  motion  measurements.  For  illustrative  reasons, 
faults  have  been  imposed  artificially  and,  specifically,  multiplica¬ 
tive  faults  are  studied.  It  is  noteworthy  that  other  types  of  faults 
have  been  studied;  results  are  given  by  Lajic  [15]. 

Table  3 


Length,  Lpp  275.0  m 

Breadth,  Bmld  40.0  m 

Draught,  T  12.0  m 


5.2.  Ship  responses  and  imposed  faults 

The  motion  measurements  have  been  obtained  from  a  con¬ 
tainer  ship  with  main  dimensions  as  given  by  Table  3.  In  the 
analysis  four  motion  components  are  considered;  the  sway 
motion,  the  heave  motion,  the  pitch  motion  and  the  vertical 
acceleration  at  the  centre  of  gravity.  Although  the  interest  in  this 
study  does  not  directly  concern  sea  state  estimation,  it  should  be 
noted  that  all  of  the  four  motion  components  can  be  used  as 
candidates  for  the  wave  buoy  analogy  [24],  Time  histories  of  the 
motion  components  are  shown  in  Fig.  10. 

As  examples  of  fault  scenarios,  faults  will  be  created  by 
introducing  multiplicative  faults  /,■  =  k,y,  (fq  =  5,i=  1, . . .  4)  to  the 
individual  motion  components  i.  The  faults  are  introduced  during 
the  time  interval  between  600  s  and  1300  s.  In  Fig.  11  the  ship 
responses  in  the  presence  of  the  multiplicative  faults  are  shown. 
The  value  of  the  factor  Jq  is  for  illustrative  reasons  chosen 
relatively  large;  the  procedures  have  been  tested  and  are  well¬ 
working  also  for  smaller  values. 

The  fault  signatures  are  shown  in  Table  4.  All  four  column 
vectors  are  different  from  zero  and  have  a  unique  signature, 
which  means  that  all  the  faults  are  isolable.  From  the  dependency 
matrix  of  the  residuals  ri,  r2  and  r3  (cf.  Fig.  8),  it  is  seen  that 
violation  of  each  constraint  is  isolable,  except  constraints  c,  and 
mi.  The  fault /i  is  isolable  but  from  a  theoretical  point  of  view,  it  is 
not  possible  to  distinguish  if  Ci  or  mi  is  violated.  From  a  practical 
point  of  view  there  is  no  difference;  it  is  only  important  that  all 
the  faults  can  be  isolated. 

5.3.  Residual  evaluation 

The  direct  calculation  of  the  residuals,  Eqs.  (36)— (41 ),  leads 
to  dividing  a  response  spectrum  by  the  square  of  a  correspond¬ 
ing  transfer  function.  However,  this  division  will,  in  general, 
cause  numerical  problems,  since  the  transfer  function(s)  can 
have  values  equal  to  zero  (or  close  to)  for  certain  frequencies. 
Therefore,  it  will  be  more  reliable  to  estimate  the  values  of 
the  residuals  instead  of  calculating  them  directly.  In  the  following, 
the  residual  evaluation  is  carried  out  by  an  approach  that 
has  some  resemblance  to  the  wave  buoy  analogy  [20,21], 


Heave  [m] 


0  200  400  600  800  1000  1200  1400  1600  1800 

Pithch  [deg.] 


-i - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 

0  200  400  600  800  1000  1200  1400  1600  1800 


Vertical  Acceleration  [m/s2] 


Time  [s] 


Fig.  10.  Measr 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1  -1 


Heave  [m] 


: 

200  400  600  800  1000  1200  1400 

Pitch  [deg.] 


•**t*n*^^^ 


0  200  400  600  800  1000  1200  1400  1600  1800 

Sway  [m] 


i.n.ill 

1 . 

0  200  400  600  800  1000  1200  1400  1600  1800 


Vertical  Acceleration  [m/s2] 


-5 - ' - 1 - I - i - ' - * - - ! - 

0  200  400  600  800  1000  1200  1400  1600  1800 

Time  [s] 


Fig.  11.  Ship  responses  with  multiplicative  faults  between  600  s  and  1300  s. 


Table  4 

Fault  signatures:  /,  is  a  fault  on  the  heave  sensor,  f2  is  a  fault  on  the  pitch  sensor, 
f3  is  a  fault  on  the  sway  sensor,  f4  is  a  fault  on  the  vertical  acceleration  sensor.  The 
residuals  r3-r6  are  defined  by  Eqs.  (36)— (41 ). 


ft  h  h  ft 


1  1 


although  the  present  procedure  is  developed  to  be  more  simple 
because  the  residual  evaluation  must  be  carried  out  continuously 
in  real-time. 

On  the  basis  of  Eqs.  (36)-(41 ),  the  residuals  are  written  in  a 
general  form  as 

f  f  [lWOK»,)]to 

J  [  0f(O3e)  J  J  [  $l(We)  J 

j,k=l,  ...,4;j¥=k;i=1i,  ...6  (42) 

Moreover,  the  significant  wave  height  is  introduced  from  the 
calculation  of  the  0-th  order  spectral  moment  of  the  wave  energy 
spectrum: 

Hs  =  4  Vino  (43) 

mo  =  J  SfiDe)  date  (44) 


Thus,  from  the  four  constraints,  Ci, . . .  C4,  and  Eq.  (43),  the  following 
expression  can  be  obtained: 


where  Hsj  is  the  significant  wave  height  that  may  be  associated  to 
the  process  which  governs  the  signal  y,.  Similarly,  the  signal  y^  can 


be  used  to  establish  the  identical  expression  for  the  k-th  process: 

In  this  way,  the  problem  of  the  residual  calculation  becomes  a 
problem  of  estimating  the  significant  wave  height  by  the  use  of 
different  signals: 

*=(!¥)  ~(f¥)  ;  J’k=1 . 4;jVfc;f=1,. ...6  (47) 

Consequently,  the  approach  for  fault  detection  and  isolation 
becomes  itself  a  matter  of  sea  state  estimation.  However,  to 
simplify  and  to  avoid  numerical  problems,  some  elementary 
assumptions  will  be  made.  First  of  all,  a  (uni-modal)  parameterised 
wave  spectrum  is  introduced  to  describe  the  wave  energy  dis¬ 
tribution  as  a  function  of  (wave)  frequency  a>.  Herein,  the  Pierson- 
Moskowitz  spectrum  is  considered  [13]: 

SpM(w)  =  47r3Hs2rz(®rz)-5e“"3(raT*/2)"‘  (48) 

where  Tz  is  the  zero-crossing  period.  Two  other  assumptions  are 
imposed,  so  that  (1)  only  long-crested  waves  are  considered  and 
(2)  the  wave  direction  is  taken  to  be  identical  to  the  wind  direction. 
All  together,  the  residual  evaluation  has  been  transformed  into  an 
optimisation  problem  in  the  variables  Hs  and  Tz.  The  cost  function 
is  established  somewhat  arbitrarily  by  comparing,  frequency-wise, 
calculated  and  measured  values  of  a  given  response  spectrum  and 
integrating.  The  cost  function  takes  the  form 

E,=  Jo  ^SpM(o>)<J>f(oj) |£(-Sl(«e)]  dcoe  (49) 

where  Sf  is  the  response  spectrum  obtained  from  the  signal  yj.  This 
means  that  an  optimised  set  of  parameters  (HS,TZ)  is  determined 
from  each  of  the  considered  sensor  signals,  and  from  this  set  the 
significant  wave  height  is  applied  to  Eq.  (47). 

5.4.  Results  and  discussion 

Multiplicative  faults,  /,  =  k^y,  (k,  =  5,i=  1, . . .  ,4),  have  been 
imposed  to  all  sensor  signals,  and  an  example  of  the  behaviour 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


40 
20 
0 

-20 

-40 

200  400  600  800  1000  1200  1400  1600  1800 


r3  [m2]  (no  fault) 


r3  [m2]  (multiplicative  fault  -  heave) 


200  400  600  800  1000  1200  1400  1600  1800 


40  | — 
20  - 
0  — 
-20  - 
-40  L- 
200 


r3  [m2]  (multiplicative  fault  -  accelerometer) 


400  600  800  1000  1200  1400 

Time  [s] 


1600 


1800 


Fig.  12.  Residual  r3  in  non-faulty  and  faulty  cases. 


r !  (multiplicative  fault  -  heave  sensor) 


c,  (multiplicative  fault  -  pitch  sensor) 


Fig.  13.  Residual  r,  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results — decision  function  and  alarm. 


% 


r2  (multiplicative  fault  -  heave  sensor) 

40 
20 
0 

-20 
^to 

200  400  600  800  10001200140016001800 
GLR  test  (decision  function) 

20 
10 


200  400  600  800  10001200140016001800 


r2  (multiplicative  fault  -  sway  sensor) 
40  - ■ - ’ - ■ - ’ - ; - ’ - ’ - 


-  -20  -  : 

.40  - ' - ■ - * - ‘ - ' - 1 - ‘ - 

200  400  600  800  10001200140016001800 


GLR  test  (decision  function) 


200  400  600  800  10001200140016001800 


200  400  600  800  10001200140016001800 
Time  [s] 


200  400  600  800  10001200140016001800 
Time  [s] 


Fig.  14.  Residual  r2  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results — decision  function  and  alarm. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-1 


of  one  of  the  residuals  formed  by  Eq.  (47)  is  given  in  Fig.  12.  In  the 
plots,  the  residual  r3  is  shown  in  a  non-faulty  case  (upper  plot) 
and  in  the  presence  of  faults  on  the  heave  (middle  plot)  and  the 
acceleration  (lower  plot)  sensors.  The  sensitivity  of  r3  to  a  fault, 
being  it  on  one  or  the  other  sensor,  is  clearly  seen.  The  other 
residuals,  r1,r2,r4,r5,r6,  behave  very  similar  and,  although  not 
shown,  the  plots,  made  like  those  in  Fig.  12,  exhibit  an  identical 
sensitivity  to  the  imposed  faults,  cf.  Lajic  [15]. 

In  the  case  of  residual  evaluation  in  the  presence  of  a  multi¬ 
plicative  fault,  it  is  common  to  use  detectors  for  change  in  the 
variance  of  the  residual  [14,15],  However,  in  the  present  work  the 
residuals  have  been  obtained  by  an  optimisation  procedure  from 
the  measured  signals.  Therefore,  even  in  the  case  of  a  multi¬ 
plicative  fault,  the  presence  of  a  fault  will  be  reflected  as  a  change 
in  the  mean  value  of  the  residual.  For  this  reason  the  residuals  are 
evaluated  by  a  scalar  GLR  test  [15].  The  alarm  diagram  is 
constructed  using  a  decision  function  and  an  appropriate  thresh¬ 
old.  The  value  of  the  threshold  has  been  selected  using  an 


empirical  method  outlined  by  Galeazzi  et  al.  [1 1  ].  In  this  approach 
the  threshold  value  should  be  determined  on  the  basis  of  healthy 
and  faulty  data.  A  computation  of  the  decision  function  based  on  a 
set  of  healthy  data  makes  it  possible  to  determine  the  typical 
range  of  values  of  this  function  in  the  absence  of  fault,  and  to  set 
the  threshold  in  such  a  way  that  false  alarms  are  avoided  [8], 
which  is  absolutely  fundamental  for  the  end-users  to  have  trust  in 
any  developed  system.  Details  of  the  applied  empirical  method  is 
found  in  Lajic  [15]. 

The  results  of  the  GLR  test  (decision  function  and  alarm)  for 
the  residual  r,  are  shown  in  Fig.  13.  It  is  easily  seen  that  the 
system  is  in  an  alarm  condition  in  the  time  interval  between  600  s 
and  1300  s,  which  is  the  interval  of  the  presence  of  the  fault.  In 
Figs.  14-18  the  results  of  the  GLR  test  for  the  other  residuals  are 
given.  It  is  seen  that  the  GLR  test  is  able  to  detect  the  presence  of 
the  faults  in  all  the  residuals.  In  general,  it  is  observed  that  the 
GLR  test  turns  the  alarm  on  and  off  instantaneously,  at  the 
initiation  of  the  fault  and  at  the  end,  although  a  small  delay  in 


r3  (multiplicative  fault  -  heave  sensor) 


200  400  600  800  10001200140016001800 
GLR  test  (decision  function) 

20 - ; - ; - ; - ; - ; - ; - ; - 


200  400  600  800  10001200140016001800 
Time  [s] 


r3  (multiplicative  fault  -  accelerometer) 


Time  [s] 


Fig.  15.  Residual  r3  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results— decision  function  and  alarm. 


r4  (multiplicative  fault  -  pitch  sensor) 


„  20 


200  400  600  800  10001200140016001800 
GLR  test  (decision  function) 


200  400  600  800  10001200140016001800 
Time  [s] 


r4  (multiplicative  fault  -  sway  sensor) 


Time  [s] 


Fig.  16.  Residual  r4  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results— decision  function  and  alarm. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-14 


r5  (multiplicative  fault  -  accelerometer) 

40 
20 
£  o 
-  -20 
-40 

200  400  600  800  10001200140016001800 
GLR  test  (decision  function) 

20  - 

m  10 


200  400  600  800  10001200140016001800 


GLR  test  (alarm) 


200  400  600  800  10001200140016001800 
Time  [s] 


r5  (multiplicative  fault  -  pitch  sensor) 


Time  [s] 


Fig.  17.  Residual  r5  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results— decision  function  and  alarm. 


r6  (multiplicative  fault  -  accelerometer) 


200  400  600  800  10001200140016001800 
GLR  test  (decision  function) 


200  400  600  800  10001200140016001800 
GLR  test  (alarm) 


200  400  600  800  10001200140016001800 
Time  [s] 


r6  (multiplicative  fault  -  sway  sensor) 


Time  [s] 


Fig.  18.  Residual  r6  in  faulty  cases  for  heave  (left)  and  pitch  (right).  GLR  test  results — decision  function  and  alarm. 


the  detection  is  noticed  by  close  inspection.  However,  in  practice, 
it  is  typically  a  valid  assumption  to  consider  the  sea  state  as 
changing  slowly.  Thus,  the  sea  state  is  assumed  to  remain 
essentially  constant  for  periods  of  the  order  of  20-30  min  at 
least.  Consequently,  a  small  delay  in  the  alarm  is  not  critical  for 
this  kind  of  onboard  systems. 


6.  Summary  and  conclusions 

In  the  present  work,  ideas  and  approaches  to  increase  the 
reliability  and  dependability  of  monitoring  and  decision  support 
systems  have  been  developed.  In  this  context,  matters  of  ship 
safety  are  the  main  concern  for  the  studied  systems.  Specifically, 
fault  diagnosis  techniques  have  been  considered  for  onboard 
systems  aiming  at  operator  guidance  with  respect  to  course  and 
speed  of  the  vessel.  Decision  support  systems  need  an  estimate  of 
the  on-site  sea  state  as  a  fundamental  input.  In  case  sea  state 


estimation  is  conducted  by  the  wave  buoy  analogy  [20,21]  the 
best  solution  is  to  use  three  different  ship  responses  and  usually 
several  responses  are  available  on  today’s  commercial  and  naval 
vessels.  However,  faulty  signals  should  be  discarded  from  the 
procedure  for  sea  state  estimation  if  it  is  possible,  if  not  the  fault 
should  be  estimated. 

In  the  paper  a  specific  and  novel  model  for  fault  diagnosis  have 
been  discussed.  The  new  numerical  procedure  is  derived  in  the 
frequency  domain  and  relies  on  linear  spectral  analysis.  In  this  way, 
it  is  possible  to  define  equations  which  correlate  different  ship 
responses  through  corresponding  transfer  functions.  The  model  was 
tested  using  full-scale  motion  measurements  from  a  container  ship, 
where  the  data  was  analysed  as  a  post-voyage  process.  The  follow¬ 
ing  points  can  be  associated  to  the  outcome  of  the  test: 

•  Multiplicative  faults  were  added  artificially  to  the  motion 
measurements  and  the  sensitivity  of  the  residuals  to  the 
sensor  fault  was  investigated. 


U.D.  Nielsen  et  al.  /  Reliability  Engineering  and  System  Safety  104  (2012)  1-1 


•  The  residuals  were  based  on  wave  height  estimation  and  were 
evaluated  by  the  GLR  test. 

•  All  the  imposed  faults  were  detected  and  isolated. 

Fault  detection  and  isolation  are  very  important  elements  in  the 
design  of  fault-tolerant  decision  support  systems  and  this  study 
has  outlined  remedies  that  can  be  applied  for  this  purpose,  when 
the  ship  responses  are  assumed  to  be  linear  in  the  wave  excita¬ 
tion.  In  case  of  a  non-linear  model,  Lajic  [15]  should  be  consulted 
and  [15]  also  discusses  the  possibility  to  use  Volterra  theory  for 
transforming  a  non-linear  time  domain  model  into  a  frequency 
domain  model  without  linearisation. 

6.1.  Future  work 

In  the  future,  the  frequency  domain  model  should  be  made 
even  more  robust.  In  particular,  it  would  be  of  interest  to  consider 
the  behaviour  to  faults  imposed  as  (slow)  drifts  in  signals,  since 
this  is  a  difficult  but  highly  relevant  problem.  Moreover,  it  should 
be  considered  to  relax  on  the  crude  assumptions  imposed  in  the 
sea  state  estimation  carried  out  as  part  of  the  residual  evaluation. 
This  includes,  among  others,  the  introduction  of  more  realistic  bi- 
modal  wave  spectra,  and  to  consider  scenarios  where  the  wave 
direction  is  not  necessarily  equal  to  the  wind  direction. 


Acknowledgment 

The  authors  would  like  to  express  their  sincere  thanks  to 
Professor  Mogens  Blanke  for  many  valuable  comments. 

References 


[1]  Aschehoug  M.  Scientific  paper  on  the  sea  state  estimation  methodology. 
Technical  Report,  SIREHNA,  France,  2003  [Paper  prepared  in  the  HullMon+ 
project], 

[2]  Basseville  M,  Nikiforov  I.  Detection  of  abrupt  changes:  theory  and  applica¬ 
tion.  Prentice-Hall;  1993. 

[3]  Blanke  M.  Enhanced  maritime  safety  through  diagnosis  and  fault  tolerant 
control.  In:  Proceedings  of  the  5th  IFAC  conference,  CAMS’2001,  Glasgow,  UK, 
2001  [Invited  pleanary], 

[4]  Blanke  M.  Fault-tolerant  and  diagnostic  methods  for  navigation.  In:  Proceed¬ 
ings  of  the  9th  international  conference  on  marine  engineering  systems, 
ICMES'2003,  Helsinki,  Finland,  2003. 

[5]  Blanke  M.  Diagnosis  and  fault-tolerant  control  for  ship  station  keeping.  In: 
Symposium  on  intelligent  control  and  13th  Mediterranean  conference  on 
control  and  automation,  Limassol,  Cyprus,  2005. 

[6]  Blanke  M.  Fault-tolerant  Sensor  Fusion  for  marine  navigation.  In:  Proceedings 
of  the  7th  IFAC  conference  on  manoeuvring  and  control  of  marine  craft, 
Lisbon,  Portugal,  2006. 


[7]  Blanke  M,  Izadi-Zamanabadi  R,  Lootsma  TF.  Fault  monitoring  and  re-config- 
urable  control  for  a  ship  propulsion  plant.  International  Journal  of  Adaptive 
Control  and  Signal  Processing  1998;12:253-263. 

[8]  Blanke  M,  Kinnaert  M,  Lunze  J,  Starosweicki  M.  Diagnosis  and  fault-tolerant 
control.  Springer;  2006. 

[9]  DNV,  User  manual:  Wasim,  2005  [Technical  documentation  by  DNV.J. 

[10]  Galeazzi  R,  Blanke  M,  Poulsen  NK.  Detection  of  parametric  roll  resonance  on 
ships  from  indication  of  nonlinear  energy  flow.  In:  Proceedings  of  the  7th 
IFAC  symposium  on  fault  detection,  supervision  and  safety  of  technical 
processes,  Barcelona,  Spain,  2009. 

[11]  R.  Galeazzi,  M.  Blanke,  N.K.  Poulsen,  Parametric  roll  resonance  detection 
using  phase  correlation  and  log-likelihood  testing  techniques.  In:  Proceed¬ 
ings  of  the  8th  IFAC  international  conference  on  manoeuvring  and  control  of 
marine  craft,  MCMC’2009,  Guaruja,  Brazil,  2009. 

[12]  Iseki  T,  Ohtsu  IC  Bayesian  estimation  of  directional  wave  spectra  based  on 
ship  motions.  Control  Engineering  Practice  2000;8:215-219. 

[13]  Jensen  JJ.  Load  and  global  response  of  ships.  Elsevier  ocean  engineering  book 
series,  vol.  4.  Elsevier;  2001. 

[14]  Kay  SM.  Fundamentals  of  statistical  signal  processing:  detection  theory,  vol. 
II.  Prentice-Hall  PTR;  1998. 

[15]  Lajic  Z.  Fault-tolerant  onboard  monitoring  and  decision  support  systems.  PhD 
thesis,  Department  of  Mechanical  Engineering,  Technical  University  of  Den¬ 
mark;  December  2010. 

[16]  Lajic  Z.  Blanke  M,  Nielsen  UD.  Fault  isolation  for  shipboard  decision  support. 
In:  Proceedings  of  the  7th  IFAC  symposium  on  intelligent  autonomous 
vehicles.  Lecce,  Italy:  IFAC;  2010. 

[17]  Lajic  Z,  Nielsen  UD.  Fault  detection  for  shipboard  monitoring  and  decision 
support  systems,  in:  Proceedings  of  the  of  OMAE’09.  Honolulu,  HI,  USA: 
ASME;  2009. 

[18]  Lajic  Z,  Nielsen  UD,  Blanke  M.  Fault  isolation  and  quality  assessment  for 
shipboard  monitoring.  In:  Proceedings  of  the  29th  OMAE.  Shanghai,  China: 
ASME;  2010. 

[19]  Miller  JG.  Living  systems.  University  Press  of  Colorado;  1995. 

[20]  Nielsen  UD.  Estimations  of  on-site  directional  wave  spectra  from  measured 
ship  responses.  Marine  Structures  2006;19:33-69. 

[21]  Nielsen  UD.  Introducing  two  hyperparameters  in  Bayesian  estimation  of 
wave  spectra.  Probabilistic  Engineering  Mechanics  2008;23:84-94. 

[22]  Nielsen  UD,  Jensen  JJ.  A  novel  approach  for  navigational  guidance  of  ships 
using  onboard  monitoring  systems.  Ocean  Engineering  2011;38:444-455. 

[23]  Nielsen  UD,  Jensen  JJ,  Pedersen  PT,  Ito  Y.  Onboard  monitoring  of  fatigue 
damage  rates  in  the  hull  girder.  Marine  Structures  2011;24:182-206. 

[24]  Nielsen  UD,  Stredulinksy  DC.  Sea  state  estimation  from  an  advancing  ship — a 
comparative  study  using  sea  trial  data.  Applied  Ocean  Research  2012;34: 
33-44. 

[25]  Page  ES.  Continuous  inspection  schemes.  Biometrika  1954;41:100-115. 

[26]  Pascoal  R,  Guedes  Soares  C.  Kalman  filtering  of  vessel  motions  for  ocean  wave 
directional  spectrum  estimation.  Ocean  Engineering  2009;36:477-488. 

[27]  Pascoal  R,  Guedes  Soares  C,  Sorensen  AJ.  Ocean  wave  spectral  estimation 
using  vessel  wave  frequency  motions.  Journal  of  Offshore  Mechanics  and 
Arctic  Engineering  2007;129:90-96. 

[28]  Denis  MSt,  Pierson  WJ.  On  the  motion  of  ships  in  confused  seas.  Transactions 
of  Society  of  Naval  Architects  and  Marine  Engineers  1953;61 :280-332. 

[29]  Tannuri  EA,  Sparano  JV,  Simos  AN,  Da  Cruz  JJ.  Estimating  directional  wave 
spectrum  based  on  stationary  ship  motion  measurements.  Applied  Ocean 
Research  2003;25:243-261. 

[30]  Tiano  A,  Lajic  Z,  Carreras  M.  Adaptive  control  of  underwater  vehicles.  In: 
Proceedings  of  the  7th  IFAC  international  conference  on  manoeuvring  and 
control  of  marine  craft,  MCMC’2006,  Lisbon,  Portugal,  2006. 

[31]  Wu  NES,  Thavamani  S,  Zhang  YM,  Blanke  M.  Sensor  fault  masking  of  a  ship 
propulsion  system.  Control  Engineering  Practice  2006;14:1337-1345. 


